Wednesday, November 21, 2007

This statute, which was added to the federal code in December of 2004 by § 6702(a) of Title VI of Public Law # 108-458, criminalizes disseminating hoax information about possible terrorist or military attacks.

It's codified as 18 U.S. Code §1038. Section 1038 has two different prohibitions, the first of which appears in § 1038(a)(1). It provides as follows:

Whoever engages in any conduct with intent to convey false or misleading information under circumstances where such information may reasonably be believed and where such information indicates that an activity has taken, is taking, or will take place that would constitute a violation of chapter 2, 10, 11B, 39, 40, 44, 111, or 113B of this title, section 236 of the Atomic Energy Act of 1954 (42 U.S.C. 2284), or section 46502, the second sentence of section 46504, section 46505(b)(3) or (c), section 46506 if homicide or attempted homicide is involved, or section 60123(b) of title 49, shall--

(A) be fined under this title or imprisoned not more than 5 years, or both;

(B) if serious bodily injury results, be fined under this title or imprisoned not more than 20 years, or both; and

(C) if death results, be fined under this title or imprisoned for any number of years up to life, or both.

The other substantive prohibition appears in section 1038(a)(2). It provides as follows:

Any person who makes a false statement, with intent to convey false or misleading information, about the death, injury, capture, or disappearance of a member of the Armed Forces of the United States during a war or armed conflict in which the United States is engaged--

(A) shall be fined under this title, imprisoned not more than 5 years, or both;

(B) if serious bodily injury results, shall be fined under this title, imprisoned not more than 20 years, or both; and

(C) if death results, shall be fined under this title, imprisoned for any number of years or for life, or both.

Amazingly (to me, anyway), someone has been convicted of violating this statute. Actually, a number of people have been convicted of violating it, several for anthrax hoaxes. I’m more interested in the case I’m going to talk about because it involves publishing a story online, not sending a letter claiming to have deposited anthrax in a government facility.

According to the district court’s opinion in United States v. Brahm, 2007 WL 3111774 (U.S. District Court for the District of New Jersey), in September of 2006 Jake Brahm, who lived in Wauwatosa, Wisconsin, posted this message on the www.4chan.org site:

On Sunday, October 22, 2006, there will be seven “dirty” explosive devices detonated in seven different U.S. cities: Miami, New York City, Atlanta, Seattle, Houston, Oakland, and Cleveland. The death toll will approach 100,000 from the initial blast and countless other fatalities will later occur as a result from radio active fallout.

The bombs themselves will be delivered via trucks. These trucks will pull up to stadiums hosting NFL games in each respective city. All stadiums to be targeted are open air arenas excluding Atlanta's Georgia dome, the only enclosed stadium to be hit. Due to the open air the radiological fallout will destroy those not killed in the initial explosion. The explosions will be near simultaneous with the city specifically chosen in different time zones to allow for multiple attacks at the same time.

The 22nd of October will mark the final day of Ramadan as it will fall in Mecca, Al-Qaeda will automatically be blamed for the attacks later through Al-Jazeera, Osama Bin Laden will issue a video message claiming responsibility for what he dubs “America's Hiroshima”. In the aftermath civil wars will erupt across the world both in the Middle East and within the United States. Global economies will screech to a halt and general chaos will rule.

The opinion says the post “became a news story of some national prominence” in the days leading up to October 22, even though the authorities did not take it seriously.

Federal agents tracked Brahm down and he was indicted for violating §§ 1038(a)(1) and (a)(2). He moved to dismiss the indictment, arguing that the phrase “may reasonably be believed” in §1038(a)(1) had to be construed in light of his target audience. United States v. Brahm, supra.

Brahm claimed that “reasonably” had to be interpreted in a way that took into account whether the "audience addressed by false or misleading information would believe it to be true.” United States v. Brahm, supra. He argued for a subjective audience-sensitive interpretation of “reasonably,” so he could be held liable only if the government could prove that the readers of the www.4chan.org website would have believed his statement. The prosecution argued that it should be interpreted to permit a conviction if, under the circumstances, a reasonable person would have believed the posting. The district court reviewed the use of “reasonableness” in other threat statutes, and agreed with the government. United States v. Brahm, supra.According to news stories, Brahm was a 20-year-old grocery clerk living with his parents. An FBI agent said Brahm thought it would be funny to post the story because he thought it was so preposterous no one would believe it. As to that, the agent, Richard Ruminski, said, "`It's a hoax. It's nonsense, not a credible threat. . . . But in a post 9-11 world, you take these threats seriously. It's almost like making a threat going onto an airplane -- you just don't do it’”.

The district court denied Brahm’s motion to dismiss the indictment on October 19, which wasn’t very long ago. I can’t find any reported developments in the case since then. He faces up to 5 years in prison on the federal charge. He was extradited to New Jersey for prosecution there.

The district court did not consider whether Brahm’s posting – the joke – was protected by the First Amendment, though it noted that the First Amendment protects humorous speech, even when it’s false. So that may be an issue he will raise in the future.

In its opinion, the court cited the famous War of the Worlds broadcast as a hoax that “might not qualify as something within the reasonable belief required by the statute,” but “would represent the kind of intentionally false information anticipated by section 1038.” United States v. Brahm, supra. It noted that “a fictitious broadcast of a terrorist attack on a major city with the goal of making a . . . political or artistic statement, causes greater concern, as . . . expressive, protected speech . . . might be affected” by the statute. United States v. Brahm, supra. In a footnote, the court pointed out that the War of the Worlds broadcast and 1983 and 1994 broadcasts dealing with fictional terrorist attacks provided disclaimers intended to alert the audience to their fictional nature. United States v. Brahm, supra.

The disclaimers in the 1983 and 1994 broadcasts were repreated throughout the shows. The War of the Worlds disclaimers did not begin until that show had been on the air for 40 minutes. They came after a number of New York police officers invaded the control room of the studio from which the broadcast was originating. The officers seemed to think they should arrest someone, but weren’t sure who to arrest or for what. According to one story I’ve read, Welles expected to be arrested immediately after the broadcast ended, but the police finally gave up and left because they still couldn’t figure out what to charge him or anyone else involved in the broadcast with.

It looks like Welles could have been prosecuted under § 1038, if it had existed at the time. I’m not sure anything in the radio play would violae § 1038(a)(1), but I believe members of the armed forces die fighting the armed Martian invaders in the “War of the Worlds” radio script, so that would probably violate § 1038(a)(2). He could try to defend himself by pointing out the inherent incredibility of the broadcast, i.e., by arguing that no one would be silly enough to really believe we were under attack by Martians . . . but a lot of people were silly enough to believe just that in 1939.

I’m not sure where I come out on this statute. I can definitely see the utility of being able to prosecute people who pull off anthrax and similar hoaxes. There, though, the conduct is far less ambiguous: They send letters or other messages claiming to have planted anthrax – or bubonic plague or bombs or the horrors of your choice – somewhere it can do a great deal of damage. Conduct like that is a threat, just as it’s a threat for John to tell Jane he’s going to kill her.

Our law has no difficulty criminalizing that kind of speech because what is being criminalized is not speech, as such – it’s the act of using speech to terrorize people (and perhaps cause consequential injuries and damage, as in the anthrax hoax cases). The speech at issue in the Brahm case is very different: He did not send a threat directly to anyone. He probably did go beyond what Orson Welles did because the “War of the Worlds” broadcast was purely expressive speech – art, in other words. Brahm claimed that what he posted was a joke – a satire analogous to the stories posted on The Onion, say. If it’s satire, it should not be criminalized.

The problem Brahm faces is to a great extent one of context: In the direct, anthrax kind of hoax, the hoaxer sends the functional equivalent of a threat to his victims. The prosecution’s theory in the Brahm case seems to be that he perpetrated an indirect kind of hoax by putting his joke online, where it could be read by anyone. Context comes into play in deciding whether a post like Brahms’ will reasonably be understood by those who read it as (i) satire or (ii) a credible threat report. If he’d posted his joke on an obviously satiric site like The Onion, would that take it out of the category of a criminal hoax under § 1038? Or are there some things we just cannot joke about at the beginning of the twenty-first century?

Monday, November 19, 2007

When someone is hired to create a website for a business, does so, turns it over to the business but isn’t paid for their work, who owns the site . . . the website creator or the business that contracted for it?

That’s the issue the New Mexico Supreme Court addressed in State v. Kirby, 141 N.M. 838, 161 P.3d 883 (2007). You can find the opinion on the New Mexico Supreme Court’s website, if you’re interested.

The facts in the case are pretty simple. Here is how the court explained what happened:

[Richard] Kirby owned a small business, Global Exchange Holding, LLC. . . . Kirby hired Loren Collett, a sole proprietor operating under the name Starvation Graphics Company, to design and develop a website. The two entered into a website design contract. As part of the contract, Kirby agreed to pay Collett $1,890.00, plus tax, for his services.

Collett . . . designed the web pages and incorporated them into the website, but he was never paid. When Kirby changed the password and locked Collett out from the website, Kirby was charged with one count of fraud over $250 but less than $2,500, a fourth degree felony. New Mexico Statutes Annotated § 30-16-6. The criminal complaint alleged that Kirby took `a Website Design belonging to Loren Collett, by means of fraudulent conduct, practices, or representations.’

State v. Kirby, supra. After a jury convicted him of the charge, Kirby appealed to the Court of Appeals, which upheld his conviction. He then appealed to the Supreme Court. State v. Kirby, supra.

Kirby claimed he couldn’t be convicted of defrauding Collett out of the website because the website belonged to him, Kirby. Kirby argued, in effect, that he could not defraud himself. The New Mexico Supreme Court therefore had to decide who owned the site.

The Court of Appeals found that “because a `website includes the web pages,’ and Kirby never paid Collett for the web pages as contractually agreed, ownership remained with someone other than Kirby”, i.e., remained with Collett. The Supreme Court agreed with “that reasoning as far as it goes,” but decided “further analysis may assist the bar and the public in understanding this . . . novel area of the law.” State v. Kirby, supra.

We first turn our attention to the legal document governing the agreement between Collett and Kirby the `Website Design Contract.’ Collett was engaged `for the specific project of developing . . . a World Wide Website to be installed on the client's web space on a web hosting service's computer.’ Thus, the end product of Collett's work was the website, and the client, Kirby, owned the web space. Kirby was to `select a web hosting service’ which would allow Collett access to the website. Collett was to develop the website from content supplied by Kirby.

While the contract did not state who owned the website, it did specify ownership of the copyright to the web pages. `Copyright to the finished assembled work of web pages’ was owned by Collett, and upon final payment Kirby would be `assigned rights to use as a website the design, graphics, and text contained in the finished assembled website.’ Collett reserved the right to remove web pages from the Internet until final payment was made. Thus, the contract makes clear that Collett was, and would remain, the owner of the copyright to the web pages making up the website. Upon payment, Kirby would receive a kind of license to use the website.

State v. Kirby, supra.

Kirby conceded the site “`contained copyright material that belonged to Loren Collett’” but claimed Collett's ownership of the copyright was “separate from ownership of the website. Thus, because the contract only specified ownership of the copyright interest in the web pages and not ownership of the website,” Kirby argued that “from the very beginning he and not Collett owned the website.” State v. Kirby, supra.

Kirby argues that because he owned certain elements that are part of a website and help make it functional, he was the website owner regardless of who owned the copyright to the web pages. Kirby purchased a `domain name’ for the website and had contracted with an internet hosting service for `storage’ of that website. This same hosting service was the platform from which the website was to be displayed on the internet. Kirby, as the owner of the domain name and storage service, also owned the password that enabled him to `admit or exclude’ other people from the website. Kirby argues that his control of the password, ownership of the domain name, and contract with an internet hosting service provider gave him ownership of the web site.

State v. Kirby, supra.

The New Mexico Supreme Court disagreed:

While a domain name, service provider, and password are all necessary components of a website, none of them rises to the importance of the web pages that provide content to the website. A domain name is also referred to as a domain address. A domain address is similar to a street address, `in that it is through this domain address that Internet users find one another.’ . . . But it is nothing more than an address. If a company owned a domain name . . . but had no web pages to display, then upon the address being typed into a computer, only a blank page would appear. A blank web page is of little use to any business enterprise. It is the information to be displayed on that web page that creates substance and value. Similarly, the service provider only stores that information on the web pages and relays that communication to others. Having a service provider meant little to Kirby if the web pages were blank. Thus, the predominant part of a website is clearly the web page that gives it life.

State v. Kirby, supra.

The Supreme Court held that Collett owned the website: “the contract between Kirby and Collett clearly recognized Collett's legal ownership of the copyright to the web pages. Payment was to be the pivotal point in their legal relationship, and even then Kirby was only to receive a license to use those pages. The contract never transferred any interest in the web page design or ownership of the website to Kirby. As the owner of the copyright, Collett was the owner of the website, and any change was conditioned upon payment.” The court therefore upheld Kirby’s conviction.

Saturday, November 17, 2007

A few months ago I did a post about whether someone could be held criminally liable for causing another person to commit suicide.

In that post I primarily focused on whether it would be possible to hold a person criminally liable if the prosecution could show that this was their purpose, i.e., that they WANTED the other person to kill themselves.

And that is a logical possibility. As the drafters of the Model Penal Code, a template for criminal statutes, said of this scenario, “it’s a pretty clever way to commit murder.”

Here I want to talk about a different, but related issue: Whether someone can be held criminally liable for another’s suicide if it was not their purpose to cause the victim to kill herself, but their conduct in fact contributed to the victim’s doing so.

I’m prompted to write this post by what I’ve read recently of the Megan Meier case, the tragic story of the 13-year-old Missouri girl who committed suicide after being the victim of a MySpace hoax.

Here’s a summary of the facts of that case as they appeared in the St. Charles Journal: Thirteen-year-old Megan Meier lived with her parents in a Missouri suburb. She had attention deficit disorder, battled depression and had “talked about suicide” when she was in the third grade. She had been heavy but was losing weight and was about to get her braces off. She had just started a new school, and was on their volleyball team. She had also recently, according to her mother, ended an off-again, on-again friendship with a girl who lived down the street.

Megan had a MySpace page, with the permission of her parents. She was contacted by a sixteen-year old boy named Josh, who said he wanted to add her as a friend. Megan’s mother let her add him, and for six weeks Megan corresponded with Josh. Josh seems to have told her she was pretty and clearly gave her the impression that he liked her . . . at last, until one day when he sent her an email telling her he didn’t know if he wanted to be her friend because he’d heard she wasn’t “very nice” to her friends.

He seems to have followed that up with other, not-very-nice emails. And then, according to the news story I cited above, Megan began to get messages from others, saying she was fat and a slut. After this went on for a bit, Megan hanged herself in her closet and died the next day. Her father went on her MySpace account and saw what he thought was the final message from Josh – a really nasty message (according to her father) that ended with the writer telling Megan that the “world would be a better place without her.”

Megan’s parents tried to email Josh after she died, but his MySpace account had been deleted. Six weeks later, a neighbor met with them and told them there was no Josh, that he and his MySpace page were created by adults, the parents of the girl with whom Megan had ended her friendship. According to the police report in the case, which is quoted in the story cited above, this girl’s mother and a “temporary employee” created the MySpace page so the mother could “find out” what Megan was saying about her daughter.

It gets really murky from there, as to what was going on in the Megan-Josh correspondence, but it seems that others – including other children who knew Megan – had passwords to the Josh account and posted messages there. When the police interviewed this woman, she said she believed the Josh incident contributed to Megan’s suicide, but did not feel all that guilty because she found out Megan had tried to commit suicide before. (Actually, she seems to have talked about it in the third grade, as I noted above).

Megan’s parents and others in the community seem to have wanted the police to charge the adults who created and operated the Josh MySpace page with some type of crime for their role in Megan’s suicide. There are several reasons why they can’t be charged even if, as seems reasonable, their conduct was a factor resulting in Megan’s decision to take her own life.

One factor is that they clearly never intended for that to happen. I can’t begin to figure out what these adults thought they were doing (never mind the children involved), but whatever it was, they didn’t set out to kill Megan. They were, at most, reckless or negligent in embarking on a course of conduct that resulted in tragedy.

Every state makes it a crime to cause another person’s death recklessly or negligently. The difference between the two types of homicide goes to the foreseeability of the result.

You act recklessly if you consciously disregard and substantial and unjustifiable risk that the result (death) will result from your conduct. So to be liable for recklessly causing Megan’s death, these adults would have had to have been aware, at some level, that what they were doing could cause her to kill herself. If they were actually aware that this was a possibility and persisted in sending emails that could cause this result, then they could be held liable for reckless homicide.

You act negligently if a reasonable person (an objective standard) would have realized that your conduct created a risk that Megan could commit suicide. Here, the law looks not at what the allegedly culpable person actually knew, but at what a reasonable person, the average American adult, would have realized in this situation. So if the law finds that a reasonable person would have realized there was a risk that Megan would kill herself if that person conducted the Josh hoax, they could be held liable for negligent homicide.

I sympathize with Megan’s parents and I cannot comprehend why adults had nothing better to do than to play such a cruel trick on a child, but however stupid and cruel their conduct was, those responsible for the Josh hoax cannot be held liable under either standard. To explain why, I’m going to use a very recent Minnesota case: Jasperson v. Anoka-Hennepin Independent School District (Minnesota Court of Appeals, Case # A06-1904, decided October 30, 2007).

It’s a very sad case. The opinion says, “J.S. was a 13-year-old eighth-grade student . . . . who lived with his mother and father and his older brother.” He’d been having trouble in school: He had received failing grades in his classes, but was bringing his grades up. He was being bullied by two boys who attended a different school (a school for students with “behavioral problems”). According to the opinion, they grabbed his bike, told J.S. they knew where he lived and which room in the house was his and threatened to kill him. His mother met with Assistant Principal Ploeger at J.S.’ school and told him all this. Ploeger said he’d see that the boys were charged with trespassing on school property, but told her she’d have to talk to the school liaison police officer Wise about protecting J.S. from the boys. Ploeger advised J.S. to leave school by a different route or leave with friends. Wise met with J.S. and his mother, determined that no crime had been committed and suggested he walk with friends and avoid the boys.

A week or two later, J.S. got F’s in his mid-quarter grades for all his classes except for Physical Education. According to one student, J.S.’ science teacher Lande told him he was the “dumbest student” the teacher had ever had, and that he was “going nowhere.” Lande later said he had been angry and may have spoken louder than he intended. The observing student said J.S. cried afterward. The family discussed J.S.’ grades that night, and he said it was his teachers’ fault. He also said he couldn’t concentrate because the two boys were handing around his school. J.S.’ mother told him she’d talk to the school about getting him a new science teacher and about dealing with the two boys.

The next day, J.S.’ father, mother and brother left for work and school before he did, which wasn’t unusual. He often rode to school with friends. When J.S.’ brother came home that afternoon, he found J.S. dead on the living room floor, with a suicide note beside him. J.S. had shot himself. In the note he said his life was going nowhere so he didn’t need to live, left his love for his family and his dog and said he’d miss them.

The parents brought a civil suit against the school, claiming the school’s negligence caused J.S.’ suicide. The trial court held that J.S. suicide was not foreseeable, so the parents didn’t have a claim. The Minnesota Court of Appeals agreed:

[T[he record does not support assertions that any school personnel knew or had reason to know that J.S. continued to have problems with the two boys [or[ that J.S.'s failing grades were caused by his terror of the two boys. . . . Mere speculation or conjecture is not sufficient. . . . The district court did not err in concluding that given the evidence, Ploeger, Wise and Lande could not have foreseen any harm to J.S.

Jasperson v. Anoka-Hennepin Independent School District, supra.

Both courts also found that the evidence did not establish that Ploeger’s and Lande’s conduct caused J.S. to commit suicide:

Appellant argues that the school district failed to protect J.S. from a known danger; was in a position to end J.S.'s “terror” and should have anticipated that its failure would likely result in J.S.'s harm; and was in a far superior position to end the threats from the two boys than J.S. or his parents. But the record does not show that anyone at the school had any knowledge that J.S. was subject to harm from the two. The record does not suggest any change in J.S.'s behavior indicating that he was experiencing terror, and none of J.S.'s friends alerted school personnel that J .S. was in fear. There is no evidence that J.S.'s suicide was foreseeable and therefore could have been prevented.

Appellant relies on the fact that J.S.'s midterm grades and a suicide note containing the same words Lande allegedly used were found at his side as evidence that Lande's remarks were a substantial factor in bringing about J.S.'s suicide. But “a mere possibility of causation is not enough.” The district court did not err in concluding that, as a matter of law, the required causal connection between the conduct of school personnel and this tragic suicide is not established by evidence in the record.

As you may have read, Donald Kerr, a deputy director of national intelligence, said last week Americans need to re-think their conception of privacy. He said privacy will no longer mean anonymity but will, instead, mean that government and the private sector will have to take appropriate steps to “safeguard people’s private communications and financial information.”

I’m not sure if I agree with him or not, so I thought I’d use this post to sort through my reactions to Kerr’s comments.

On the one hand, I don’t know that privacy has ever been synonymous with anonymity. My neighbors know who I am and where I live, as do the local police in my small Ohio suburb. I’m far from being anonymous to those around me. That, though, doesn’t mean I’ve lost my privacy. What I do in my home is still private, at least to the extent I pull the drapes and otherwise take some basic steps to shield what I’m doing from public view.

Maybe that’s what he means by equating privacy and anonymity . . . the notion that what I do in public areas is not private, at least not unless I take steps to conceal my identity and my activities. But that’s not a new notion – it’s common sense. As far as I know, no one has ever tried to argue that what they do in public (walk, drive, shop, go to a movie, rollerblade, whatever) is private under our Constitution . . . because they believed it was private or under some other theory.

Anonymity is not really an aspect of privacy under our Fourth Amendment law, except insofar as remaining anonymous makes it difficult or impossible for someone to tell what you’ve been doing in an area where you can readily be observed by others. Our Fourth Amendment law has traditionally been about the privacy of enclaves – your home, your office, your car, phone booths (when they still existed), and other physical (and perhaps intangible) places. One court, at least, has assumed that a password-protected website is a private enclave, analogous to these real-world enclaves. The Fourth Amendment also protects the containers (luggage, safes, lockers, sealed mail, DVD’s and other storage media) we use to store and to transport things. It is intended to prevent the police from intruding into real and conceptual spaces as to which we have manifested a reasonable expectation of privacy.

I don’t see where anonymity comes in to the traditional Fourth Amendment conception of privacy. The police can see John Doe walking down the street carrying a bag and really want to open that bag because they think he’s transporting drugs, but they can’t open it, or make him open it, just because they know who he is (John Doe). His lack of anonymity has no impact on the legitimate Fourth Amendment expectation of privacy he has in the contents of that bag. The fact that he’s carrying a bag is not private because anyone can see him carrying it. The contents of the bag, though, are private unless and to the extent that the bag is transparent; as long as it’s opaque, its contents are and will remain private.

Anonymity, as such, is actually the focus of a different constitutional provision: the First Amendment. The Supreme Court has interpreted the First Amendment as establishing the rights both to speak anonymously and to be able to preserve the anonymity of one’s associations. The Court has found that protecting anonymity in this context furthers free speech, political advocacy and other important values.

I think what Mr. Kerr is really talking about is an issue I’ve written on before: whether we have a Fourth Amendment expectation of privacy in the information we share with third-parties, such as businesses, Internet and telephone service providers and financial institutions. I think what he’s referring to is what I believe to be a widespread, implicit assumption among Americans, anyway: the notion that what we do online stays safely and obscurely online. I may be wrong, but I think we unconsciously tend to assume that the data we generate while online – the traffic data our ISP collects while we’re surfing the web and the transactional data companies collect from us when we make purchases or otherwise conduct business online – is entre nous . . . is just between me and my ISP or me and my bank or me and Amazon.

We know at some level that we are sharing that data with an uncertain number of anonymous individuals -- the employees of ISPs, banks, businesses, etc. – but we don’t tend to correlate sharing information with them with sharing that information with law enforcement. We essentially assume we are making a limited disclosure of information: I inevitably share data with my ISP as an aspect of my surfing the web or putting this post on my blog. I know I’m sharing information with the ISP, but I don’t assume that by doing that I’m also sharing information with law enforcement.

The problem with that assumption is, as I’ve noted before, that the Supreme Court has held that data I share with third-parties like banks or ISPs is completely outside the protections of the Fourth Amendment. According to the Court, I cannot reasonably expect that information I share with others, even with legitimate entities, is private. This means that under the Fourth Amendment, law enforcement officers do not have to obtain a search warrant to get that information.

(There are statutory requirements, but these both requirements go beyond the current interpretation of the Fourth Amendment and often provide less protection than that Amendment. They often allow officers to obtain third-party data without obtaining a search warrant; a subpoena or court order may suffice.)

So how does all of this relate to Mr. Kerr’s comments about anonymity and privacy? Well, at one point he said that we have historically equated privacy with anonymity but “in our interconnected and wireless world, anonymity - or the appearance of anonymity - is quickly becoming a thing of the past”. Actually, I’d tend to argue the opposite: I think cyberspace actually gives us more opportunities to remain anonymous than we’ve ever had.

Think about a pre-wired world. Think about the America of a hundred or a hundred and fifty years ago. Most Americans in this era, like most people throughout the millennia preceding that era, lived in small towns or villages. They pretty much knew everyone in the town or village where they lived. They traveled very little, both in terms of frequency and distance, so they lived their lives almost exclusively in that town or village. One consequence of this is that everyone in the town or village tended to know pretty much everything about everyone else. They knew who was having an affair with whom. They knew who was buying opium-based products at the general store and getting high. They knew who the drunks were and who the wife- and child-beaters were. They might not know everything that went on in each other’s homes behind closed doors, but they knew pretty much everything else.

The lives of those who lived in cities were probably not subject to quite so much scrutiny from their neighbors. My impression, though, is that city-dwellers during this and earlier eras tended to reside in a specific neighborhood, do their shopping in that neighborhood and generally socialize with people in that neighborhood. So much of what I said about town and village dwellers also applied to those who lived in cities. City dwellers probably had the possibility of going into other parts of the city to carry out their affairs, buy their opium products or otherwise engage in conduct they’d prefer not be widely known in the neighborhood where they resided.

My point is that there wasn’t much anonymity back then, or in all the years before then.

In modern America, we have much more control over the information we share with others. Our neighbors may still be able to pick up a lot of information about our habits and predilections, good and bad, but if we’re concerned about that we have alternatives: We can seclude ourselves in a remote area and commute to work, live in a high-rise and ignore our neighbors or take other means to reduce the amount of information that leaks out to those with whom we share living space. We may still buy our groceries and medications and clothing and other necessities from a face-to-face clerk (or not, as I’ll note below), but we can conceal our identity from the clerk by paying with case. We can try to obscure patterns in our purchases of necessities by patronizing various stores, in the hopes of interacting with different clerks. We can also rely on the fact that in today’s increasingly-urbanized, increasingly-jaded world clerks may not pay attention to use and our purchases because they don’t care who we are. We’re no longer joint components in a small, geographically-circumscribed social unit.

We can also take information about our purchasing habits and financial transactions out of local circulation by making purchases and conducting financial and other transactions online. This brings us back to Mr. Kerr’s comments. I may be wrong, but I don’t think we assume we’re anonymous when we conduct our affairs online. I do think we believe we are enhancing the privacy of our activities by removing them from the geographical context in which we conduct our lives. Online, I deal with strangers, with people who do not know Susan Brenner and, by inference, do not care what Susan Brenner is buying or selling or otherwise doing online.

Empirically, that’s a very reasonable assumption. The problem is that it founders on a legal and practical Catch-22: We conduct our online transactions with strangers who don’t know us and, by extension, don’t care about what we do. We therefore assume we have overcome the memory problem, the fact that historically those with whom we dealt face-to-face could, and would, remember us and our transactions. This brings us to the first, practical component of the Catch-22. Although we overcome the memory problem, we confront another problem: the technology we use to conduct our online transactions records every aspect of those transactions. We replace the uncertain memory of nosy clerks with disinterested but the irresistibly accurate transcription of machines.

The second, legal component of the Catch-22 is the issue I noted above – the recorded data we share with these third parties is not private under the Fourth Amendment and can, therefore, be shared with law enforcement. So in one sense we have more privacy as we move our activities online, and in another sense we have less.

I’m not sure what Mr. Kerr meant when he said that privacy now means that government and the private sector will have to take appropriate steps to “safeguard people’s private communications and financial information.” Does he mean we should revise our view of the Fourth Amendment to bring this information within its protections? Or does he mean we should enact statutes designed to accord a measure of privacy to this data by setting limits on how it can be shared with law enforcement?

Saturday, November 03, 2007

I’m going to explore some scenarios that might ensue from the current state of U.S. law on child pornography.

I’m not arguing that these or any scenarios will come to pass . . . . I'm just working through the logical possibilities, based on the current state of U.S. law dealing with real and not-real child pornography.

that the First Amendment does not preclude U.S. law’s criminalizing “real” child pornography, i.e., child pornography the creation of which involves the use of real children;

that the First Amendment does bar U.S. law from criminalizing virtual child pornography, i.e., child pornography the creation of which does not involve the use of real children but is, instead, based on computer-generated images (CGIs).

The Supreme Court held that the First Amendment does not prevent U.S. law from criminalizing real child pornography, even though it qualifies as speech under the First Amendment, because its creation involves the victimization of children, both physically and emotionally. Real child pornography is essentially a product and a record of a crime, or crimes, against children. The Court also held that the First Amendment does prevent U.S. law from criminalizing virtual child pornography because it is speech and because no real person is “harmed” in its creation; unlike real child pornography, virtual child pornography is fantasy, not recorded reality.

We were covering this in my cyberspace law class, and I asked the students to think about where virtual child pornography’s protected status under the First Amendment might take us once computer technology evolves so it is possible to create virtual child pornography (or adult pornography or movies or any visual media) that are visually indistinguishable from the real thing. The question is, what might happen with virtual child pornography once the average person cannot tell it from child pornography the creation of which involved the use of real children? We came up with what I think are some interesting scenarios.

For one thing, it would not be illegal to possess this indistinguishable-from-the-real-thing virtual child pornography. That, alone, has several consequences. It could create real difficulties for law enforcement officers who are trying to find real child pornography and prosecute those to create, distribute and possess it. If a regular person cannot tell real from virtual child pornography by simply looking at a movie or other instance of child pornography, how are police involved in investigations supposed to know what they’re dealing with?

Another consequence could be that it becomes functionally impossible, or at least very difficult, for prosecutors to prove that someone being prosecuted for possessing real child pornography did so knowingly. The defendant could claim he or she believed the material he possessed was virtual, not real, child pornography. Since the prosecution has to prove the defendant “knowingly” possessed real child pornography beyond a reasonable doubt, it would presumably be difficult for prosecutors to win in cases like these (assuming the jurors followed the law and were not swayed by personal distaste for the defendant’s preferences in pornography).

Since U.S. jurisdictions cannot criminalize the possession and distribution of virtual child pornography, we might see the emergence of websites selling virtual child pornography. It would perfectly legal to sell the stuff in the U.S., to buy it or to possess it. Virtual child pornography would essentially have the same status as any other kind of fictive material; it is, after all, a fantasy, just as slasher movies or violent video games are fantasy.

To protect themselves and their clients, these hypothetical businesses might watermark the virtual child pornography they sold, to provide an easy way of proving that the stuff was virtual, not real. We talked a bit about this in my class. The watermark would have to be something that could withstand scrutiny and that would be valid, clearly credible evidence that child pornography was virtual, not real. Those who created and sold the stuff might be able to charge more if their watermark hit a gold standard – if it basically provided a guarantee that those who bought their product could not be successfully prosecuted for possessing child pornography.

The international repercussions of all this might be interesting; some countries, such as Germany, criminalize the creation, possession and distribution of all child pornography, real and virtual. The criminalization of all child pornography is the default standard under the Council of Europe’s Convention on Cybercrime, but the Convention allows parties to opt out of criminalizing virtual child pornography. So countries that take the same approach as the U.S. could also become purveyors of virtual child pornography. We could see a world in which virtual child pornography was illegal in some countries and for sale in others.

In analyzing where all of this might go, my students and I realized there could be one, really depressing implication of the commercialization of virtual child pornography: Real child pornography would probably become particularly valuable, because it would be the real thing.

Thursday, November 01, 2007

I spoke at a conference in Italy last week; after I spoke I got a question from a member of the audience. His question, which went to how and why we in the U.S. federalize certain crimes, made me think about a part of our history in a way I had not done before.

His question basically went to why we make it a federal crime for someone to hack the computer system of a private company. He was coming from the very logical premise that hacking the system of a private company is an attack on private property, so he wondered why that should become a federal crime.

In answering him, I recapped the history of the increasing federalization of crime in the U.S., something I’m going to repeat here. After I do that, I want to offer a few thoughts on what that history may, or may not, suggest about how we can go about dealing with cybercrime.

Until early in the twentieth century, crime in the U.S. was proscribed and prosecuted almost exclusively at the state level. There were some federal crimes, such as counterfeiting and treason, but they tended to be the exception. The drafters of the U.S. Constitution intended that crime would be handled primarily at the local level; a few years ago, an American Bar Association study found that this was their intention, the theory being that it makes more sense for crime to be punished as close as possible to the local community.

This theory derives both from history (that’s the way it had always been done) and from the assumption that handling crime at the local level was the best way to deter crime and encourage people to follow the law. The notion is, essentially, that the closer we are to the process of prosecuting and punishing criminal behavior, the more likely we are to take the process seriously and see it as something that could affect us.

That was the way things worked until about the second decade of the twentieth century, when automobiles began to become more common in the U.S. As they became more common, motor vehicles began to influence how certain crimes were being committed.

One crime, arguably a “new” crime at the time, was automobile theft: Someone could steal a car in, say, Ohio and drive it into Indiana or Illinois or Texas . . . which would pretty much defeat the Ohio police’s efforts to find the car and prosecute the thief. In other words, car thieves pretty quickly figured out that they could exploit state borders to their advantage; they figured out that each state only had jurisdiction to investigate crime within its borders. There really was no effective way for, say, Ohio officers to pursue a car thief into Indiana and then Illinois and however many other states he took the car into.

This concept of using the mobility of motor vehicles to elude apprehension and prosecution then migrated into other areas, such as kidnapping and bank robbery. As those of us who’ve seen the movie “Bonnie & Clyde” know, the 1930’s say the rise of bank robbing gangs who used high-speed automobiles to rob a bank in one state and then flee to another, thereby avoiding the police. Indeed, according to one book I read, Clyde went so far as to send Henry Ford a letter, thanking Ford for making such fast cars; Clyde assured Ford that he always preferred using Fords in his car thefts, both because they were so fast and because they were so common it was easy to hide out in them.

The question the Italian gentleman asked me last week made me think about all of this a little more deeply. In answering him, I realized something I had already known, but hadn’t really thought about: What American bank robbers and kidnappers and car thieves were doing 70 and 80 years ago is functionally indistinguishable from what cybercriminals are doing today. Both use(d) then-current technology to exploit the fact that states (whether discrete states in a federal system like ours, or nation-states in our global system) have jurisdiction only within their own borders.

In the law, there are two fundamental principles governing a sovereign state’s exercise of jurisdiction in criminal cases: One is that a sovereign state has jurisdiction to adopt law criminalizing conduct occurring within its territory and to sanction those who violate that law. The other principle is that one state (Ohio or France) cannot enforce its laws inside the territory of another state (Indiana or Italy). So, criminals – who generally tend to be among the first adopters of new technologies -- can use those principles against sovereign states by committing a crime in one state and then fleeing to another state or, for cybercrime, by remotely committing a crime in another state.

Okay, none of this is new. What I realized last week goes not to the fact that all of this has happened and is happening. It goes, instead, to the strategy the U.S. used to deal with the motor vehicle as criminal tool issue. It occurred to me that the strategy might, or might not, be an instructive example for how we could deal with cybercrime.

The way the U.S. dealt with the motor vehicle as criminal tool issue was to enact federal laws that made it a crime to, for example, steal a motor vehicle in one state and take it across state lines for the purpose of evading apprehension and to kidnap someone in one state and take them across state lines for the same purpose. In other words, the U.S.’ approach was to move to a supra-state system of laws, a national set of laws. This meant that the criminals could no longer find a safe haven: Federal authorities could chase them from Ohio to Indiana to Illinois and all the way to Texas, if necessary.

I thought of this last week both because it was relevant in answering the gentleman’s question and because it perhaps suggests something about how we need to approach cybercrime.

Like the 1930’s bank robbers, cybercriminals are using new technology to exploit the jurisdictional limitations of specific sovereigns to their advantage. Everyone recognizes that. The question is, what do we do about this?

The Council of Europe’s Convention on Cybercrime attempts to deal with the problem by encouraging countries to adopt standardized, consistent laws that (i) criminalize certain activities (such as hacking, child pornography, etc.) and (ii) facilitate law enforcement cooperation with officers from other countries. The goal, in effect, is to achieve a voluntary, lateral solution to the problem. The notion is that if the various nation-states all have a core of consistent laws criminalizing behaviors and specifying what police can do in collecting and sharing information about cybercrimes, then this will make it much more difficult for cybercriminals to exploit the parochial jurisdictional capacities of the various nation-states.

I like that solution because it is voluntary, and because it is lateral. As we all know, cyberspace favors the lateral, rather than the hierarchical, organization of human behavior. So this seems a flexible, adaptive solution. My only concerns with it are that (i) it may take a very long time to achieve this consensus and (ii) it may prove difficult to achieve consensus in certain areas, because national laws are bound up with local culture. We in the U.S. are already outliers because of our First Amendment; it means that we can, indeed must, host content that is criminalized elsewhere, a circumstance that will not change unless and until we eliminate that aspect of the First Amendment (which is highly unlikely).

What about the alternative? . . . What about a solution analogous to what the U.S. did with motor vehicle-facilitated crime about 80 years ago? Could we somehow adopt a set of supranational laws targeting cybercrime and use that to defeat cybercriminals’ ability to evade and frustrate the application of national laws?

As a federal system, the U.S. was in a perfect position to move to the next level – to shift to a higher-tier, system-wide set of laws targeting motor vehicle-facilitated crime. We do not have a global federal system or any thing comparable. We therefore do not have a structure which could be used to implement a similar approach, however logical it might be.

This brings me back to the comments I made in my last post, “A law of cyberspace.” On the one hand, a global, over-arching network of cybercrime laws, with an accompanying, equally-global enforcement system, would clearly be the optimum way to address the exploitation of jurisdictional limits by cybercriminals.

The first problem with that strategy is that we do not have an institution capable of achieving this; the United Nations is the only possible candidate for the task but this really does not come within its charter. The other problem is, as I noted in my last post, that nation-states tend to be possessive of their territory and jealously protective of their own, idiosyncratic laws. I think it will be a long, long time before a global solution to the cybercrime jurisdictional law problems will be a possibility, assuming, of course, that such a solution is desirable.